In installing Debian 9 I found out that . is no longer part of @INC.
Perl (v5.24.1) built for x86_64-linux-gnu-thread-multi
Built under linux
Compiled at Jan 15 2017 23:35:20
@INC:
/etc/perl
/usr/local/share/perl/5.24.1
/usr/lib/x86_64-linux-gnu/perl5/5.24
/usr/share/perl5
/usr/lib/x86_64-linux-gnu/perl/5.24
/usr/share/perl/5.24
/usr/local/lib/site_perl
/usr/lib/x86_64-linux-gnu/perl-base
Does anyone know why?
Because . has been removed from @INC for core modules in 5.24.1. That's a security feature to prevent an exploit that this blog post talks about.
In February, I opened a ticket with Perl 5 Porters to get them to accept a non-default option to remove . from @INC. Unfortunately, I was beaten to the punch and an exploit was disclosed to Perl 5 Security. TL;DR: There are now known insecurities about having . in @INC.
The change is documented in perldelta for 5.24.1.
This prevents an attacker injecting an optional module into a process run by another user where the current directory is writable by the attacker, e.g. the /tmp directory.
It will most likely be removed completely in 5.26. Here's more discussion on the p5p mailing list, taken from this blog post.
Here are (some of) the commits that make these changes.
The Perl Pumpkin Sawyer X also explains this in the talk Perl 5.24, 5.26, and the Future of Perl 5 he gave at FOSDEM 2017. Here is the recording of the talk [1].
[1] all videos from the Perl room at FOSDEM 2017
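As an added example, not part of the answer above or of Perl's own distribution, here is a small Perl script that audits the running interpreter's @INC for the two conditions behind this change: a relative entry such as . (which resolves to whatever the current directory is when a module is required) and directories any local user can write to. It also shows the usual replacement for scripts that relied on . to find modules next to them: an explicit path built with FindBin. The "lib" subdirectory name and the inc_problems function are this example's own choices.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Instead of relying on '.' being in @INC, load modules from a known
# absolute location relative to the script itself (hypothetical "lib" dir).
use FindBin qw($Bin);
use lib "$Bin/lib";

# Return a list of human-readable findings for @INC entries that would let
# another local user plant a module picked up by an optional
# "eval { require Foo::Bar }" in a script run from a shared directory.
sub inc_problems {
    my @problems;
    for my $dir (@INC) {
        next if ref $dir;    # @INC may also hold code refs/objects; skip them

        # A relative entry ('.' or anything not starting with '/') is
        # resolved against the current working directory at require time.
        if ($dir !~ m{^/}) {
            push @problems, "$dir: relative entry (resolves to the current directory)";
            next;
        }

        next unless -d $dir;    # unused entries such as /etc/perl may not exist
        my $mode = (stat $dir)[2] & 07777;

        # World-writable without the sticky bit means anyone can drop or
        # replace files in it, the same situation as running from /tmp.
        if (($mode & 0002) && !($mode & 01000)) {
            push @problems,
                sprintf "%s: world-writable (mode %04o) without sticky bit", $dir, $mode;
        }
    }
    return @problems;
}

my @problems = inc_problems();
if (@problems) {
    print "Unsafe \@INC entries:\n";
    print "  $_\n" for @problems;
    exit 1;
}
print "No relative or world-writable entries in \@INC\n";
```

Run it as the user and in the directory a suspect script normally runs from; on the Debian 9 perl shown in the question it should report nothing, while an older interpreter, or one started with . added back via PERL5LIB, reports the relative entry. The FindBin line is the portable fix for scripts that broke after the change: point use lib at where the modules actually live rather than restoring the unsafe default.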